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Abstract —Phaser measurement units (PMUs) can be effectively 
utilized for the monitoring and control of the power grid. As the 
cyber-world becomes increasingly embedded into power grids, 
the risks of this Inevitable evolution become serious. In this paper, 
we present a risk mitigation strategy, based on dynamic state 
estimation, to eliminate threat levels from the grid’s unknown 
inputs and potential cyber-attacks. The strategy requires (a) 
the potentially Incomplete knowledge of power system models 
and parameters and (b) real-time PMU measurements. First, 
we utilize a dynamic state estimator for higher order depictions 
of power system dynamics for simultaneous state and unknown 
inputs estimation. Second, estimates of cyber-attacks are obtained 
through an attack detection algorithm. Third, the estimation and 
detection components are seamlessly utilized in an optimization 
framework to determine the most impacted PMU measurements. 
Finally, a risk mitigation strategy is proposed to guarantee the 
elimination of threats from attacks, ensuring the observability 
of the power system through available, safe measurements. Case 
studies are Included to validate the proposed approach. Insightful 
suggestions, extensions, and open problems are also posed. 

Index Terms —Cyber-attacks, cybersecurity, dynamic state es¬ 
timation, phasor measurement units, risk mitigation, unknown 
inputs. 


Acronyms 


CA 

Cyber-attack. 

DRMA 

Dynamic risk mitigation algorithm. 

DRMOP 

Dynamic risk mitigation opt. problem. 

DSE 

Dynamic state estimation. 

ILP 

Integer linear program. 

LMI 

Linear matrix inequality. 

PMU 

Phasor measurement unit. 

SMO 

Sliding mode observer. 

UI 

Unknown input. 

WDTL 

Weighted deterministic threat level. 


Nomenclature 

X, X States and the estimate, 

e State estimation error, i.e., x — x. 
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Measurements and the estimate. 

Unknown input vector and its estimate. 

CA vector and its estimate. 

Column vector of the attack detection filter. 
Residual of the attack detection filter. 
WDTL vector. 

Vector of binary decision variables which 
is equal to 1 if the ith PMU measurement 
is used for state estimation and 0 otherwise. 
Vector of eigenvalues of A. 

Linearized system state matrix. 

Weight distribution matrix for UIs. 
Linearized power system output matrix. 
Observability matrix. 

Sliding mode observer design matrices. 
Admittance matrix of the reduced network 
consisting of generators and its zth row. 
Column vector of all generators’ real and 
imaginary part of the voltage source on 
system reference frame. 

Cost weight for activating or deactivating 
the zth PMU measurement. 

Weight of the zth PMU measurement. 
Residual threshold of the zth measurement. 
SMO gain and smoothing constants. 

Rank of Bw 
Rotor angle in rad. 

Rotor speed, rated rotor speed, and rotor 
speed set point in rad/s. 

Rotor speed deviation in pu. 

Internal field voltage and its initial value in 
pu. 

Terminal voltage phasor. 

Initial machine terminal voltage. 

Terminal voltage at q axis and d axis in pu. 
Transient voltage at q axis and d axis in pu. 
Real and imaginary part of the terminal 
voltage phasor. 

Internally set exciter constants. 

Set of generators where PMUs are installed. 
Generator inertia constant in second. 
Terminal current phasor. 

Current at q and d axes in pu. 

Real and imaginary part of the terminal 
current phasor in pu. 

Voltage regulator gain. 

Damping factor in pu. 
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Exciter constant. 

Stabilizer gain. 

Electric power in pu. 

Initial mechanical input power. 

Number of PMUs, generators, and Uls. 
Stabilizing transformer state variable. 
System base and generator base MVA. 
Governor, servo, and reheater variables. 
Voltage regulator, exciter, and stabilizer 
time constants. 

Mechanical torque and electric air-gap 
torque in pu. 

Maximum power order. 

Open-circuit time constants for q and d axes 
in seconds. 

Servo and HP turbine time constants. 
Transient gain time constant, time constant 
to set HP ratio, and reheater time constant. 
Regulator output voltage in pu. 

Eeedback from stabilizing transformer. 
Voltage transducer output in pu. 
Synchronous reactance at g, d axes in pu. 
Transient reactance at g, d axes in pu. 
Steady state gain. 

Signum function. 


I. Introduction and Motivation 

C lassical supervisory control and data acquisition 
(SCADA) systems have become insufficient to guarantee 
real-time protection of power systems’ assets. Consequently, 
the research and development of wide area measurement 
systems (WAMS) have significantly increased. By utilizing 
the phasor measurement units (PMUs), WAMS technologies 
enable near real-time monitoring of the system, hence em¬ 
powering a more accurate depiction of the power-grid’s cyber¬ 
physical status—and improved grid control. 

Recently, the National Electric Sector Cybersecurity Orga¬ 
nization Resource (NESCOR) investigated many cybersecurity 
failure scenarios, which are dehned as “realistic event in 
which the failure to maintain confidentiality, integrity, and/or 
availability of sector cyber assets creates a negative impact on 
the generation, transmission, and/or delivery of power” |jT). 
Among these failure scenarios the following two wide-area 
monitoring, protection, and control (WAMPAC) scenarios mo¬ 
tivate the research in this paper: 

• WAMPAC.4: Measurement Data Compromised due to 
PDC0 Authentication Compromise; 

• WAMPAC.6: Communications Compromised between 
PMUs and Control Center. 

Specifically, we consider the problem of attacking PMU mea¬ 
surements by compromising the signals sent to the control 
center. The two aforementioned scenarios are related in the 
sense that compromising the communication between PMUs, 
PDCs, and control center can include alteration of PMU data. 

*A single PMU transmits measurements to a phasor data concentrator 
(PDC), and then to a super PDC, through a wireless communication network 
based on the NASPInet architecture j^. 


In addition to that, we assume that the dynamics of a power 
system are inherently uncertain. 


H. Literature Review & Gaps, Paper Objectives 

The most widely studied static state estimation (SSL) 0- 
Q cannot capture the dynamics of power systems well due to 
its dependency on slow update rates of SCADA systems. In 
contrast, dynamic state estimation (DSL) enabled by PMUs 
can provide accurate dynamic states of the system, and 
will predictably play a critical role in achieving real-time 
wide-area monitoring, protection, and control. DSE has been 
implemented by extended Kalman hlter Q, Q, unscented 
Kalman filter 110|- 00, square-root unscented Kalman hlter 
1141, extended particle hlter 1151, and ensemble Kalman hlter 
116|. Other dynamical state observers for power systems with 
unknown inputs (UI) or under cyber-attacks (CA) have also 
been developed, as in 00-00- 

DSE requires a reliable dynamic model of the power system, 
which can be based on post-validation of the dynamic model 
and calibration the parameters of generators, as in |[20)-p2); 
however, there is still a gap between the model and actual 
power system physics. Assuming that the dynamical models 
are perfectly accurate can generate sub-optimal estimation 
laws. In this paper we discuss how this discrepancy can be 
systematically addressed by the estimation of Uls. 

Detecting and isolating CAs in cyber-physical systems 
generally, and smart-grids specihcally, has received immense 
attention. Liu et al. present a new class of attacks, called 
false data injection attacks, targeted against SSE in power 
networks | [23l , and show that an attacker can launch successful 
attacks to alter state estimate. In |24|, ||25), the authors propose 


a generic framework for attack detection, metrics on control¬ 
lability and observability, and centralized & distributed attack 
detection monitors, for a linear time-invariant representation of 


power systems. The reader is referred to |26| for a survey on 
different types of CAs and attack detection and identihcation 
methods that are mainly based on control-theoretic foundations 
and to Q for a survey on cyber-security in smart grids. 

In | [Z7) , a security-oriented cyber-physical state estimation 
system is proposed to identify the maliciously modified set 
of measurements by a combinatorial-based bad-data detection 
method based on power measurements and cyber security state 
estimation result. However, this work is still on SSE which is 
significantly different from the DSE discussed in this paper. 

In p8) , Mousavian et al. present a probabilistic risk mit¬ 
igation model for CAs against PMU networks, in which 
a mixed integer linear programming (MILP) is formulated 
that incorporates the derived threat levels of PMUs into a 
risk-mitigation technique. In this MILP, the binary variables 
determine whether a certain PMU shall be kept connected to 
the PMU network or removed, while minimizing the maxi¬ 
mum threat level for all connected PMUs | |28l . However, the 
estimation problem with PMUs is not considered—there is no 
connection between the real-time states of the power system 
and the threat levels. In this paper, we evaluate the measured 
and estimated PMU signals, as well as the estimates of Uls and 
CAs, as an essential deterministic component in the decision- 
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making problem that determines which PMU measurements 
should be disconnected from the estimation process. 

The objective of this paper is to develop a framework that 
(a) leverages PMU data to detect disturbances and attacks 
against a power network and (b) enables secure estimation 
of power system states, UIs, and CAs. In Section III we 


present the power system model used for DSE. The physical 
meaning of the UIs and CAs is discussed in Section]^ The 
dynamical models of state-observer is discussed in Section |V] 
Given a dynamical observer, closed-form estimates for vectors 
of UIs and CAs, as well as an attack detection filter are 
all discussed in Section |VT] Utilizing the aforementioned 
estimates, a dynamic risk mitigation algorithm is formulated 
in Section IVIII Section IVIIII summarizes the overall solution 
scheme. In Section |I^ numerical results on the 16-machine 
68-bus power system are presented to validate the proposed 
risk mitigation approach. Finally closing remarks and open 
research problems are discussed in Section 

III. Power System Model 

Here, we review the nonlinear dynamics and small-signal 
linearized representation of a power system. 


A. Nonlinear Dynamics of the Power System 

The fast sub-transient dynamics and saturation effects are 
ignored and each of the Ug generators is described by the 
two-axis transient model with an IEEE Type DCl excitation 
system and a simplified turbine-governor system p9): 
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where i is the generator index. For generator i, the terminal 
voltage phasor Sj. = -f je/. and the terminal current 
phasor /(. = ir. -b jij. can be measured and used as outputs 
from actual PMU measurements. The physical meaning of all 
the parameters in Q are included in the nomenclature section. 


Remark 1. For the above power system model, we treat the 
exciter and governor control system variables as state variables 
and thus there are no control inputs in the system model. 


The Tm,, Te,, idi, iqi Va^, and A in 0 can be written 
as functions of the states: 
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and the power system dynamics can be written as: 

f x{f) = f{x) 

\ y{t) = h{x). 

In (j^ the outputs Ir^ and ir are written as functions of 
X. Similarly, the outputs cr^ and e/. can also be written as 
functions of x: 


CRi = Cdi sin Si + Cqi cos Si 
cr = Cqi sin Si — Cdi cos Si. 


(4a) 

(4b) 


B. Linearized Power System Model 

For a large-scale power system, the nonlinear model can 
be difficult to analyze, necessitating a simpler, linear time- 
invariant (LTI) representation of the system H). The power 
system dynamics can be linearized by considering a small 
perturbation over an existing equilibrium point. The following 
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assumption is needed to construct the small-signal, linearized 
model of the nonlinear power system. 


Assumption 1. For the nonlinear dynamical system in Q 
there exists an equilibrium point denoted as; 


= 






tQs 


The above assumption is typical in transient analysis studies 
for power systems and other engineering applications modeled 
by nonlinear DAEs fJI] . Denote by a; G the deviations 

of the state from the equilibrium point and G the 
deviations of the outputs from the outputs at the equilibrium 
point. The small-signal dynamics can be written as: 


\x{t) =Ax{t) 

\yqit) = CgX{t). 

where the system matrix A G is defined by the 

parameters of the generators, loads, transmission lines, and the 
topology of the power network, and Cq G (jgpgnds 

on the specific PMU placement, where q is the total number 
of PMUs with four measurements each. In what follows, we 
use the notations x and instead of x and for simplicity. 


IV. Unknown Inputs & Attack-Threat Model; 
The Physical Meaning 


Although the modeling of the power system dynamics has 
been the subject of extensive research studies, a gap still 
exists between our mathematical understanding of the power 
system physics and the actual dynamic processes. Therefore, 
assuming that the developed dynamical models are perfectly 
accurate can generate sub-optimal control or estimation laws. 
Consequently, various control and estimation theory studies 
have investigated methods that address the aforementioned 
discrepancy between the models and the actual physics—for 
power systems and other dynamical systems. 

Here, we discuss how these discrepancies can be system¬ 
atically incorporated into the power system dynamics and 
present physical interpretations of UIs and potential CAs— 
exemplifying these discrepancies. In this paper, and by defi¬ 
nition, we consider UIs, denoted by w{t), and CAs, denoted 
by Vq{f), to be unknown quantities that affect the process 
dynamics and PMU output measurements, respectively. 

A. Modeling Unknown Inputs 

The nominal system dynamics for a controlled power sys¬ 
tem can be given by x{t) = f{x,u) = Ax{t) -f Buu{t). 

Remark 2. For the 10th order power system model the con¬ 
trols, u{t), are incorporated with the power system dynamics 
and states—we consider that the controls have a dynamic 
model as well. In that case, and u{t) are both zeroes, 
unless there are other power system controls to be considered. 

Here, we consider the nominal system dynamics to be a 
function of w{t), or x{t) = f{x,u,w). For power systems, 
the UIs affecting the system dynamics can include (rep¬ 
resenting the unknown plant disturbances), (denoting the 


unknown control inputs), and Ua (depicting potential actuator 
faults). For simplicity, we can combine Ud,Uu, Ua into one UI 
quantity, w{f), defined as w{f) = [uj{t) u^{t) (f)] G 

K"”, and then write the process dynamics under UIs as 

x{t) = f{x, u, w) = Ax{t) + Buu{f) + Bwwlf), ( 6 ) 

where is a known weight distribution matrix that defines 
the distribution of UIs with respect to each state equation Xi. 
For the dynamical system in (^, matrix G 
The term Bu,w{t) models a general class of UIs such as 
uncertainties related to variable loads, nonlinearities, modeling 
uncertainties and unknown parameters, noise, parameter vari¬ 
ations, unmeasurable system inputs, model reduction errors, 
and actuator faults | |3^ , | |33| . 

For example, the equation xi = 5i = X 2 — cJo = oJi — ujq 
most likely has no UIs, as there is no modeling uncertainty 
related to that process. Also, actuator faults on that equation 
are not inconceivable. Hence, the first row of B^, can be 
identically zero. Furthermore, if one of the parameters in ([T]) 
are unknown, this unknown parameter can be augmented to 
w{f). Furthermore, the unknown inputs we are considering are 
influencing all the buses in the power system. Precisely, for any 
state-evolution Xi{t), we have: Xi{t) = Aix{t) + Byj.w{t) = 

A. ,x{t) + Vi = 1,2, where Ai is 

the *th row of the A-matrix and Bi is the *th row of the 

-matrix, which entails that each bus can be potentially 
influenced by a combination of UIs. Hence, even if we have 
so many variations, these variations are causing disturbances 
to all the states in the power system. 

Remark 3. Note that for a large-scale system it can be a 
daunting task to determine B^. Hence, state estimators should 
ideally consider worst case scenarios with UIs, process noise, 
and measurement noise. As a result, assuming a random B^, 
matrix and then designing an estimator based on that would 
consequently lead to a more robust estimator/observer design. 

B. Modeling Cyber Attacks 

As mentioned in the introduction, NFS COR developed 
cyber-security failure scenarios with corresponding impact 
analyses 0- The report classifies potential failure scenarios 
into different classes, including wide area monitoring, pro¬ 
tection, and control (WAMPAC)—this paper’s main focus. 
Here, and relevant to the physical meaning of CAs (or attack- 
vectors), we define Vq{t) G as a CA that is a function 
of time, used to depict the aforementioned WAMPAC failure 
scenarios. Note that many entries in this vector are zero as an 
attacker might not have the ability to attack all measurements 
simultaneously. Under a wide class of attacks, the output 
measurement equation can be written as 

Vqit) = ClqX{t) +Vq{t). (7) 

In this formulation, Vq{t) can encapsulate a CA with three 
different physical meanings and classes: 

1) The first class is the data integrity attacks where an 
attacker attempts to change the output measurement of 
a sensor; see p^ , p5| for recent results on data integrity 
attacks in smart grids. 
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2) The second class is the replay attacks—the attacker 
replays a previous snapshot of a valid data packet 

3) The third class is the denial of service (DoS) attack— 
the attacker introduces a denial in communication of the 
measurement. The authors in iz) discuss DoS attacks 
on load frequency control in smart grid. 

While we define Vq{t) in this paper to be a cyber-attack or 
attack vector, this definition encapsulate the above classes of 
“attacks”. Furthermore, another physical meaning for Vq(t) is 
bad data. Bad data occurs when (1) a redundant measurement 
is erroneous, which can be detected by statistical tests based 
on measurement residuals, (2) observations may be corrupted 
with abnormally large measurement errors, (3) large unex¬ 
pected meter and communication errors, or (4) malfunctioning 
sensors; see [38) for bad data definitions. Hence, bad data can 
be different from CAs—CAs attempt to adversely influence 
the estimates. However, both (bad data attacks and CAs) can 
lead to negative consequences and can share mathematically 
equivalent meaning with varying threat levels. 

C. Attacker’s Objective 

An attacker wants to cause significant changes to the trans¬ 
mitted PMU data. Since this data is bound to be used for real¬ 
time control in smart grids (see U.S. Department of Energy 
(DOE) and NASPI mandates Q, p^ , pOj), a change in 
these estimates/measurements can cause significant alterations 
to the corresponding feedback control signals. In fact, the 
executive summary from a recently published U.S. DOE report 
highlights the inevitable usability of PMU measurement^ 


control in electro-mechanical systems are discussed. Here we 
present a succinct representation of the SMO architecture 
developed in | |42) . Eor simplicity, we use x as the state vector 
of the linearized power system, rather than x and y as the 
outputs from PMUs, rather than y. As discussed in previous 
sections, the linearized power system dynamics under UIs and 
CAs can be written as 

f x{f) = Ax(f) + 

\yq(t) = CqX(t) -\-Vq{t), 

where for the system described in Q there are 10 rig states, 
Tiw unknown plant inputs, and 4 q measurements. 


Assumption 2. The above dynamical system is said to be 
observable if the observability matrix O, defined as O = 
[Cq (CgA)T ... has full rank. The full- 

rank condition on the system implies that a matrix Lq G 
]^i0ngx4g found such that matrix (A — LqCq) is 

asymptotically stable with eigenvalues having strictly negative 
real parts. While this assumption might be very restrictive, 
it is not a necessary condition for the estimator we discuss 
next. This assumption is relaxed to the detectability of the pair 
{A, Cq). The power system is detectable if all the unstable 
modes are observable—verified via the PBH test: 


rank 


XJ-A 

. Cq , 


lOrig, V Ai > 0, 


where Ai belongs to set of eigenvalues of A. Also, we 
the observer rank-matching condition is satisfied, that is: 
rank(CgBu,) = rank(Bu,) = (. 


V. State Estimation Method Under UIs and CAs 
W ith the integration of PMUs, an observer or a DSE 
method can be utilized to estimate the internal state of the 
generators. Observers can be viewed as computer programs 
running online simulations—they can be easily programmed 
and integrated into control centers. Observers differ from KP- 
based estimators in the sense that no assumptions are made on 
the distribution of measurement and process noise, i.e., statis¬ 
tical information related to noise distribution is not available. 
The objective of this section is to investigate a robust observer 
for power systems with real-time PMU measurements. 

A. Sliding-Mode Observer for Power Systems 

A variable structure control or sliding model control is 
a nonlinear control method whose structure depends on the 
current state of the system. Similar to sliding mode controllers, 
sliding mode observers (SMO) are nonlinear observers that 
possess the ability to drive the estimation error, the difference 
between the actual and estimated states, to zero or to a 
bounded neighborhood in finite time. Similar to some Kalman 
filter-based methods, SMOs have high resilience to measure¬ 
ment noise. In approaches for effective sliding mode 

^From a DOE report: The Western Electricity Coordinating Council has 
determined that it can increase the energy flow along the California-Oregon 
Intertie by 100 MW or more using synchrophasor data for real-time control — 
reducing energy costs by an estimated $35 million to $75 million over 40 years 
without any new high-voltage capital investments m 


The objective of an observer design is to drive the estimation 
error to zero within a reasonable amount of time. Accurate 
state estimates can be utilized to design local or global state 
feedback control laws, steering the system response towards 
a desirable behavior. Let x{f) and e{t) — x{t) — x{f) denote 
the estimated states and the estimation error. 


B. SMO Dynamics & Design Algorithm 


The SMO for the linearized power system dynamics ([^ can 
be written as 


I x(t) = Ax(t) -i-Lq(yq(t) -i/git)) - B^E(yq,yq, rj) 
\yqit) = CqX{t), 

where j/g is readily available signals for the observer, and E(-) 
is defined as 


E{-) 


Fqiijq - yq) 

'^\\Fq{yq-yq)h+^ 

0 


if Fqiiiq 
if Fq{y^ 


yq) 4 0 
yq) = 0, 


where: 


• 77 > 1 is the SMO gain and is a smoothing parameter 
(small positive number), 

• Fq G satisfies the following matrix equality 
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• Lg G is chosen to guarantee the asymptotic 

stability of A — LqCq. 

Hence, for any positive definite symmetric matrix Q, there is 
a unique symmetric positive definite matrix P G Ki0"9xi0"s 
such that P satisfies the Lyapunov matrix equation, 

(A - LqCq^P + P{A - LqCq) =-Q, P = P^ > 0. 

The nonlinear vector function, E{-), guarantees that the esti¬ 
mation error is insensitive to the UI w{t) and the estimation 
error converges asymptotically to zero. If for the chosen Q, 
no matrix Fq satisfies the above equality, another matrix Q 
can be chosen. Note that the SMO can deal with a wide 
range of unknown parameters and inputs (affecting states 
evolution), yet it cannot tolerate a severe CA against the 
PMU measurements. In this paper, the framework we develop 
addresses this limitation through the dynamic risk mitigation 
algorithm that utilizes CAs estimation and a detection filter 
(Sections |Vl] and [Vnl l. 

A design algorithm for the aforementioned SMO can be 
found in | |42) , which presents a systematic way of obtain¬ 
ing the gain matrices for reduced-order observers. Here, we 
present a simple solution to the observer design problem. 

The above boxed equations are the main matrix-equalities 
needed to solve for the observer matrices Fq,P, and Lq — 
guaranteeing the asymptotic stability of the estimation error, 
and the convergence of the state-estimates to actual ones. 
However, these equalities are bi-linear matrix equalities, due 
to the presence of the PLqCq term in the Lyapunov matrix 
equation. Using the LMI trick by setting Y = PLq, we can 
rewrite the above system of linear matrix equations as: 

A^P + PA-C^^Y^ - YCq = -Q 

P = P^ ( 10 ) 

FqCq = BlP. 


After obtaining P,Fq,Y, and computing = P~^Y, 
the SMO can be implemented via a numerical simulation. 
The above system of equations can be easily solved via 
any semidefinite program solvers such as CVX | [43) , p^ , 
YALMIP or MATLAB’s LMI solver. 

VI. Asymptotic Reconstruction of UIs & CAs 

In last section, we introduce real-time observers for a power 
system. Here, we present estimation methods for the vectors 
of UIs, w{t), and potential attacks, Vq{t). To our knowledge, 
this approach has never been utilized in power systems with 
observers. This approach we discuss here, however, does not 
provide strict guarantees on the convergence of the estimates 
of these quantities, yet it is significant in the developed risk 
mitigation strategy. To guarantee the detection of CAs and 
compromised PMU measurements, we also discuss an attack 
detection algorithm with performance guarantees. 

^The computation of these matrices is performed offline, i.e., the observer 
is designed apriori. In Section [I^ we present the number of free and linear 
variables, as well as the offline running time of the observer design problem 
for the considered power system. 


A. Estimating Unknown Inputs 

As discussed earlier, the designed SMO guarantees the 
asymptotic convergence of the state estimates to the actual 
ones. Substituting the differential equations governing the 
dynamics of the power system (|^ and the SMO © into the 
estimation error dynamics, we obtain 

e{t) = x{t) — x{t) (11) 

= {A- LqCq) {x{t) - x{t)) + ByjW{t) 
-BwE{yq,yq,'q) 

= {A- LqCq) e{t) -I- B^w{t) - B^E{e, ry). (12) 

This SMO is designed to guarantee that x{t) is the asymptotic 
estimate of x{t). Since it is assumed that B^j is a full-rank 
matrix, the following UI approximation holds: 

w[t) « F{yq{t), yq{t), y). (13) 

The above estimates, as reported in | |46) , requires further low- 
pass filtering which can be very heuristic. Here, we suggest 
an alternative to the UI estimation assuming that the state 
estimates converge to the actual ones asymptotically. 

First, we write the discretized version of the power system 
dynamics: 

x{k -f 1) = Ax{k) -f Buu{k) + Byjw{k), 

where A = B^ = Jq dr, and B^ = 

Jo dr are the discrete version of the state-space matri¬ 

ces. Since the observer design guarantees the convergence of 
the state estimates, x(t) or x{k), and x{k) is available for all 
k, then the vector of UI w{k) can be approximated as follows. 
Substituting x{k) by x{k) in the discretized dynamics of the 
power system, we obtain: 

x{k -f 1) = Ax{k) -f Buu{k) + B^wik). 


Then, another estimate for the UI vector can be generated as: 


w{k) = ^BiuJ ^x(k -f 1) — Ax(k) — Buu{k)^ , 


(14) 


assuming that B^ has full column rank and its left pseudo¬ 
inverse exists. Note that this estimation of the UI vector uses 
the generated estimates of one subsequent time period ix{k-\- 
1)) and the actual control (if the latter exists in the model). 
This assumption is not restricting as observers/estimators are 
computer programs that run in parallel with the plants or 
dynamic processes. 


B. Estimating CAs 

Attacks against synchrophasor measurements can be mod¬ 
eled in various scenarios. One possible scenario is the injection 
of malicious signals that alter the values of the measurements 
in the data packets sent from PMUs to PDCs and control 
centers, in addition to PMUs malfunctions. As in ([^, a real¬ 
time CA Vq{t) is included to alter the PMU measurements. 
The objective of this section is to apply an attack detection 
technique based on the estimation of CAs. Assuming an 
identical SMO architecture as the one presented in the previous 
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section, an estimate of the CA, Vqit), is derived in | |4^ and 
its dynamics takes the following form: 

v^{t) = -{F,C^L^)\F,C^B^){E{t) - w{t)) (15) 

-^{^FqCqLq)^FqVq{t^ , 

where w{t) is given in 0, Fq and Lq are SMO design 
parameters, E{t) is selected such that the system is in sliding 
inode along FCqe{t) = 0. In | [^ , the authors assume that 
Vq{t) « 0, which might not be a reasonable assumption in our 
application since an CA can be designed such that Vq{t) ^ 0. 
Rearranging ( [TS] ), we obtain 

'vq(t) = V\^Vq{t)^V\^V^m{t), (16) 


where 


Vi 


{FqCqLq)^Fq S ^^9X4,^ ^ 




w' {t) E' (t) 


[{FqCqLqYiFqCqB^) - {FqCqLq)\FqCqB^)] 

g ]^4(7X(n„ + 10ng)^ 


Note that Vi is invertible. A more accurate estimate for the 
CA can further be obtained as 

Vq{t) = e^^ ^^~*°'‘vq{to) + f e^i 

Jto 


C. Attack Detection Filter 

While the CA estimates generated from the methods dis¬ 
cussed above can instantly identify compromised measure¬ 
ments for few time instances after the detection, the attack can 
propagate and influence the estimation of other measurements. 
In the case of lower sampling rates or computational power, 
another attack detector can be used. In | |25| , a robust attack 
identification filter is proposed to detect the compromised 
nodes for longer time periods. We tailor this filter to our 
dynamical representation of the power system, which is also 
a dynamical system and takes the following form: 


l{t) ={A + AC],Cq)l{t) + AC^^y^{t) 
r{t) = yJt) - Cql{t), 


(17) 


where l{t) G is the state of the filter and r{t) G 

is the residual vector that determines the compromised 
measurements—the reader is referred to | |25l for more details 
on the Alter design. The initial state of the Alter, I (to), is by 
definition equal to the initial state of the plant x{to). Since 
initial conditions might not be available, the SMO discussed 
in Section V-A is utilized to generate a:(to) ~ x{to). Hence, 


the SMO is necessary for the detection of the attack, i.e., we 
assume that the SMO is utilized for an initial period of time 
when measurements are not compromised. 

After generating the converging estimates of the states and 
UIs, the Alter ( [T7] i generates real-time residuals r{t). These 
residuals are then compared with a threshold to determine the 
most infected/attacked nodes. The residuals here are analogous 
to the estimates of the CAs, Vq{t), which we derive in the pre¬ 
vious section. It is signiflcantly crucial for the attack detection 
Alter and the CA estimators to obtain online computations of 
the residuals and estimates—the attacked measurements might 


adversely influence the estimation as the attacks can propagate 
in many networks. 

The risk mitigation algorithm we develop in the next section 
utilizes r{t), Vq{t), and w{t) to determine the authenticity of 
PMU measurements, and identify the to-be-diagnosed mea¬ 
surements, while guaranteeing the observability of the power 
system through available measurements. 

VII. Risk Mitigation—A Dynamic Response Model 


Here, we formulate a risk mitigation strategy given estimates 
of measured and estimated outputs and reconstructed UIs 
and CAs. The formulation uniquely integrates dynamic state 
estimation, considering attacks and UIs, with a integer linear 
programming formulation. 

A. Weighted Deterministic Threat Level Formulation 


We consider the measured and estimated PMU signals as 
an essential deterministic component in the decision making 
problem that decides which PMUs should be disconnected 
from the network for a period of time, while performing 
typical troubleshooting and diagnosis. 


Deflnition 1. Given a dynamic system simulation for r C 
[fcT, (fc + 1)T], where T is any simulation time period, the 
weighted deterministic threat level (WDTL) vector 2 : for all 
PMU measurements is deflned as 

rik+i)T 


z = 


I kT 


ViVqiT-) -VqiT)) -fW(u?(T))' 


dr, (18) 


where Y G g ]j4qxn™ constant weight 

matrices that assign weights for the estimation error (y^ — yfi) 
and UI approximation w. Note that (w{t)Y is equivalent to 
the square of individual entries. 


The scalar quantity Zi, the ith WDTL, depicts the threat 
level present in the ith PMU signal. Ideally, if Zi is large the 
associated PMU must be isolated until the attack is physically 
mitigated. The quantity {y^lj) — y^ir)') can be replaced with 
either Vq(t) or r(t). 


B. Dynamic Risk Mitigation Optimization Problem 

Deactivating a PMU may lead to a failure in dynamic state 
estimation, as explained in the following Remark Hence, 
an optimization-based framework is proposed to solve the 
problem with occasionally conflicting objectives. 

Remark 4. Recall that to design a dynamic state estimator 
under UIs and CAs, the power system deflned in ([^ should 
satisfy certain rank conditions on the state-space matrices. For 
example, for the SMO observer, the following condition has 
to be satisfied: 


rankiC qBy^) = rank(Su,) = 

in addition to the detectability condition (Assumption |^. 
Deactivating a PMU causes a change in the Cq matrix and 
might render the observer design infeasible. 








Definition 2. Let be a binary decision variable that deter¬ 
mines the connectivity of the zth PMU measurement in the 
next time period (i.e., r G [fcT, {k + l)r]): 

0 O - 7* > 0 
1 O Zi — < 0. 


executed in real time, whereas the DRMOP is solved after 
generating the estimates in the former problem. Here, we 
present an algorithm that jointly integrates these two problems, 
without including the rank constraints in the computation of 
the DRMOP solution, and hence guaranteeing fast solutions 
for the optimization problem. 


If the WDTL for the zth measurement is smaller than a 
certain threshold -fi, the corresponding measurement qualifies 
to stay activated in the subsequent time period. This combi¬ 
natorial condition can be represented as 


Zi — "fi + TTiM > 0 (19) 

Zi-li- < 0 (20) 


where M is a large positive constant We now formulate 
the dynamic risk mitigation optimization problem (DRMOP): 


4q 

maximize 7 a^TTi ( 21 ) 

TT 

2 = 1 

subject to TTi = {0,1}, Vz = {1,2,... 49 } (22) 

Zi-'yi + TTiM > 0 (23) 

Zi - 'yi - {I - tti)M < 0 (24) 

4q 

Y, ^ (25) 

i=l 


rank(Cg(7r)B„ 


\I- 

. C,(7r) 


)=C 

= lOrzg,V Ai > 


(26) 

0.(27) 


To increase the observability of a power system, the formulated 
optimization problem—an integer linear program (ILP)— 
maximizes the weighted number of active PMU measurements 
in the next time period, finding the PMU measurements that 
have to be disabled for some period of time while ensuring 
the feasibility of dynamic state estimation. Albeit there are at 
most q PMUs, we assume that there are Aq tt^’s. 

The first two constraints depict the logical representation 
of the binary variable tt^ in terms of the WDTL and the 
threshold. The third constraint represents a weight for each 
PMU. For example, if the zth PMU measurement is from 
a significantly important substation, the system operator can 
choose the corresponding weight /?i to be greater than other 
weights. The two rank constraints (|26|)-(|27|) ensure that the 
dynamic state estimation formulated in the previous section 
is still feasible for the next time period; see Assumption 
Note that this problem is different from the optimal PMU 
placement problem pS) , p9| , in the sense that we already 
know the location of the PMUs. The DRMOP (|2T|l-(|27ll is a 
highly nonlinear, integer programming problem that cannot be 
solved efficiently—due to the two rank constraints. In the next 
section (Section VII-C[ ), we present a dynamic risk mitigation 
solution algorithm by relaxing these assumptions. 


C. Dynamic Risk Mitigation Algorithm 


In Sections VII-A and VII-B we investigate two related 
problems for different time-scales: the estimation problem is 


Algorithm 1 Dynamic Risk Mitigation Algorithm (DRMA) 

1: compute small-signal system matrices A, Bw,C q 
2 : obtain SMO matrices Lq,Fq by solving i fTO] ) 

3: formulate the SMO dynamics as in 0 
4: set k ~ 0 

5: forr G [kT + ^ , {k + 1)T] 

6: measure the PMU output z/(r) 

7: compute r{r),y^{T),w{T) from ( fTT) , i|^, i [T4l > 

8: compute WDTL z from given Y, U 

9: solve the DRMOP l|2T)-(|25i for tt = [zri, ■ • ■ , 7r4q] 

10: update Cq = Cq{-K) 

11: if@and([^ are satisfied 

12: go to StepfTTI 

13: else 

14: solve the DRMOP with relaxed conditions on 

some TTi’s and update Cq 

15: end if 

16: end for 

17: set k ■.= k + U go to Step|^ 


Algorithm[T]illustrates the proposed dynamic risk mitigation 
algorithm. First, the small-signal matrices are computed given 
the nonlinear power system modeQ The sliding-mode ob¬ 
server is then designed to ensure accurate state estimation, as 
in Section [V-A| Since the rank-constraints are computationally 
challenging to be included in an integer linear programming. 
Algorithm 1 provides a solution to this constraint. 

Then, for r G [kT -|-^,(fc-|-l)r], the quantities r,y^, and 
w are all computed. We assume that the computational time 
to solve the DRMOP ([2T]i-([25]l is After solving the ILP, 
the output matrix Cq is updated, depending on the solution 
of the optimization problem, as the entries in the Cq reflect 
the location of active and inactive PMUs. The matrix update 
might render the state estimation problem for r G [(/c -f IjT-l- 
{k + 2)T] infeasible as the rank conditions might not be 
satisfied. To ensure that, these conditions can either be made 
a constraint in the optimization problem or a condition in the 
mitigation algorithm. If this rank conditions are not satisfied, 
some TTi’s can be reset and the DRMOP can be solved again. 
The counter k is then incremented and the algorithm is applied 
for the following time periods. 

Remark 5. For the developed algorithm, we assume that 
we are applying the observer from GZ) to generate dynamic 
estimates, given that the power system is subjected to UIs 
and CAs. However, This assumption is not restricting. In 
fact, any other robust observer/estimator may be used for 
state estimation, and hence, the algorithm can be changed to 
reflect that update in the observer design. Subsequently, the 
matching rank condition can be replaced by other conditions 
that guarantee a fast reconstruction of state estimates. 

^Note that for the 10th order model, the controls are incorporated in the 
power system dynamics, and hence B„ and u{t) are zeros, yet the algorithm 
provided here is for the case when known controls are considered. 
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Fig. 1. A flow chart depicting a high-level representation of the proposed risk mitigation strategy; see Section [VlII| 


Remark 6. The DRMOP assumes an initial power system 
configuration, i.e., PMUs are placed in certain locations. 
Since the Cq reflects the latter, the observer design would 
differ for various configurations of PMUs. This influences 
the state and UI estimation, and hence the generation of the 
real-time weighted deterministic threat levels for all PMUs. 
Thus, the solution to the DRMOP varies for different PMU 
configurations, while guaranteeing the real-time observability 
of the power system through available measurements. 


VIII. High-Level Solution Scheme for the Risk 
Mitigation Strategy—A Summary 


This section serves as a summary of the overall solution 
scheme we develop in this paper. The high-level details of this 
scheme is illustrated in Fig. [T] The presented solution scheme 
requires two essential inputs: 


(a) The potentially-incomplete knowledge of the power sys¬ 
tem model and parameters (Section [nl| ; 

(b) Real-time PMU measurements from a subset of the 
power network model (Section [In|). 


Note that (a) and (b) are related in the sense that if the knowl¬ 
edge of a generator’s parameters is available, it is possible to 
associate this knowledge to specific PMU measurements. 

Given these two inputs—(a) is static knowledge, while (b) 
is continuously updated—we construct a real-time depiction 
of the nominal system, i.e., the power system experiencing 
no CAs or major disturbances. This step is important as it 
verifies PMU measurements and the system model. Using the 
latter and real-time PMU data, we estimate unknown power 
system parameters and UIs (Section VI i. Given that we have 
more accurate parameters, the detection of malfunctions, CAs, 
and major disturbances becomes possible; see Fig. 

However, the detection of a CA does not necessarily 
imply the knowledge of the source of attacks. Hence, the 
identification of PMU channels with faulty measurements 
is needed after the detection of such events (Section |vn|. 
The faulty or attacked power system components are then 
diagnosed and reconfigured. The reconfiguration/diagnostics 


of the grid should, however, guarantee the observability of the 
grid (Section VII-C| l. After guaranteeing the latter, the power 
system is brought back to its initial nominal state. 


IX. Case Studies 

The developed methods are tested on a 16-machine, 68- 
bus system—extracted from Power System Toolbox (PST) 


|50|. This system is a reduced order, equivalent version of 


the interconnected New England test system and New York 
power system m- The model discussed in Section is 
used and there are 160 state variables. A total of g = 12 
PMUs are installed at the terminal bus of generators 1, 3, 4, 
5, 6, 8, 9, 10, 12, 13, 15, and 16. Here this PMU placement 
is randomly chosen, while installing the PMUs at optimal 
locations to guarantee the best observability of the system 
dynamic sates is out of the scope of this paper. More details 
for that problem can be found in | [48) , p^ . The sampling 
rate of the measurements is set to be 60 frames per second to 
mimic the PMU sampling rate. 

In the rest of this section, we present results for two 
scenarios. For Scenario I, dynamic state estimation only under 
UIs is performed and an illustration on the estimation of UIs 


and states via the methods discussed in Section VI is provided. 
For Scenario II, we add CAs to some PMU measurements and 
show how the DRMOP can be utilized to estimate, detect, 
and filter out the presence of these attacks by leveraging the 
generated estimates from Scenario I. 


A. Scenario I: Dynamic Reconstruction of UI <& DSE 

The objective of this section is to show the performance 
of the SMO in Section |V-A| in regards to the estimation of 
(a) the states of the 16 generators (160 states) and (b) UI 
reconstruction method (developed in Section [VT| . We perform 
dynamic state estimation over a time period of 20 seconds. 
We consider this experiment as a baseline for the Scenario 
II. The simultaneous estimation of states and UIs can be then 
utilized to determine the generators that are subject to the most 
disturbances through available PMU measurements. After the 
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estimation of states and UIs, these quantities are then used to 
detect a CA against PMU measurements. 

Arbitrary Unknown Inputs As discussed in Section |IV] 
the UIs model a wide range of process uncertainties ranging 
from load deviations, bounded nonlinearities, and unmodeled 
dynamics, which can significantly influence the evolution of 
states due to their nature. However, UIs are not physically 
analogous to malicious CAs, i.e., UIs exist due to phenomena 
related to the physics of the power system modeling. 

For many dynamical systems, it can be hard to determine 
the impact of UIs. Hence, an ideal scenario would be to use 
different forms of time-varying UI functions, and a randomly 
generated matrix with significant magnitude. Here, we 
consider that the power system is subject to six different UI 
functions with different variations, magnitudes, and frequen¬ 
cies. The considered vector of UIs is as follows: 


w{t) 


wi{t) = ki + e + max ^0,1 — 

W2{t) = fci sinji/iii) 

W3{t) = fci cos(i/)it) 

W4{t) = fc2 square('02t) 

W 5 {t) = A;2 sawtooth('!/)2i) 

we{t) = k2 (sin(V>2^) -f e“®*) 


where ki, ^2 and ipi, '(/)2 denote different magnitudes and 
frequencies of the UI signals, respectively. We choose -tpi = 
5, '02 = 10. To test the developed SMO and the UI estimator, 
we use small and large values for ki and fc 2 - Specifically, we 
choose two set of values for the magnitude as ki = 0.01, k 2 = 
0.02 and fci = 1, fc 2 = 2. 

The Bu, G ]^i60x6 matrix is randomly chosen using the 
randn function in MATLAB. The Euclidean norm of 
is ||Suj|| = 13.8857 which is significant in magnitude. 
Consequently, since B^j is not sparse, the six chosen UIs 
influence the dynamics of the 160 states of the power system, 
i.e., Xi{t) = aix{t) iWi{t), where ai is the first 

row of the A matrix. The above UI setup is used in this 
experiment as an extreme scenario, as this allows to test the 
robustness of the estimator we develop in this paper. 


Remark 7. Using large magnitudes for the UIs (i.e., large ki 
and ^ 2 ) leads to unrealistic behavior of the power system as 
each differential equation is adversely influenced by an un¬ 
known, exogenous quantity as described above. This scenario 
is less likely to occur in real applications, yet the result is 
included to show the robustness of the simultaneous estimation 
of the states and the proposed UI estimation scheme. 


The solution to this optimization problem is done offline, 
as most observer gain matrices are computed before the actual 
dynamic simulation. The simulations are performed on a 64- 
bit operating system, with Intel Core i7-4770S CPU 3.10GHz, 
equipped with 8 GB of RAM. The execution time for the 
offline SMO design ( [T0| ) is 5 minutes and 39 seconds (CVX 
converges after 42 iterations); see Remark]^ for a discussion 
on the running time of the offline SMO after the detection 
of attacks. The dynamic simulations for the power system and 
the observer dynamics are performed simultaneously using the 
odelSs solver with a computational time of nearly 6 seconds. 

State & UI Reconstruction After flnding a solution 
for ( [T0| l, we simulate the power system and generate estimates 
of the states x(t) and the UIs w(t) via the SMO design (|^ 
and UI estimate ( [l4| ). In Fig. we show the norm of the state 



Fig. 2. Norm of the state estimation error for different magnitudes of UIs. 
A logarithmic scale is used for y-axis, as initial values for ||ea;(f )||2 
much higher than subsequent ones. For larger magnitudes of UIs, the norm 
converges to a larger value, albeit it is still very small. 

estimation error for the above two sets of values of fc’s. The 
estimation error norm is ||ea;(f )||2 = \\x{t) — x{t)\\ 2 , VtG 
[0,r], which indicates the performance of the SMO for all 
time instants and all generators. It is clearly seen that the 
estimation error converges to nearly zero—even for high 
magnitudes of UIs. This demonstrates that the state estimates 
for all generators are converging to the actual states of the 
power system. Moreover, Fig.j^shows the estimation of the six 
UIs given above with ki = 1, ^2 = 2. While the six UIs vary 
in terms of magnitude, frequency, and shape, the estimates 
generated by ([l4| are all very close to the actual UIs. 


SMO Design After computing the linearized state-space 
matrices for the system {A and Cq) and given B^, we solve 
the FMIs in ([^ using CVX on Matlab. The SMO 
parameters are 77 = 8 and u = 0.01. The numbers of linear 
and free variables involved in the semidefinite programming 
are 25760 and 796^ with 13840 constraints. The number of 
variables can be computed by counting the number of unique 
entries of the FMI in ( [Tol l. 

^The number of linear and free variables in is equal to the number of 
entries of the symmetric positive definite matrix P (linear vars.), and Lq, Fq. 
Since P S [gg number of linear variables is 

(160 + 1)(160) = 25760, while the number of free variables is equal to 
riu, • 4g-|- lOrig -dq = 6 ■ 48-1- 160 • 48 = 7968. 


B. Scenario II: DSE Under UIs & CAs 

Here we present the case when some PMU measurements 
are compromised by a CA. The attacker’s objective is to 
drastically alter the PMU measurements, thus influencing the 
decisions that could be made by the system operator. First, 
we discuss the attacker’s strategy, i.e., what attack-signals 
are manipulating the measurements. Second, we present an 
algorithm that detects the presence of a CA and identifies 
the attacked measurement(s). Third, given the estimates of 
the attacks and state- and UTestimation results, we apply 
the DRMOP and the DRMA. Finally, we show the impact 
of applying risk mitigation strategy on state estimation. 
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Fig. 3. Converging estimation for the 6 UIs discussed above. The UI estimator 
successfully tracks the UIs for fci = 1, fc 2 = 2 for different shapes of the 
UIs. The results for the UI reconstruction for ki = 0.01, fc 2 = 0.02 are 
omitted; however, the results are similar to the case we present in this figure. 


Artificial Cyber-Attacks We present a hypothetical CA 
vector on four PMU measurements, which are the fifth to 
eighth measurements, i.e., [ei^g(^) eflg(f) eR,g{t)] . 

Note that these four measurements come from the PMUs 
installed at the terminal bus of Generators 6 , 8 , 9, and 10, 
respectively. Although we denote manipulation of some signals 
an attack, this nomenclature is not restrictive; see Section HYl 
and the NASPI report on faulty PMU measurements m- 
Since a total of 4 g = 48 measurements are available, the CA 
Vg{t) G can be constructed in terms of different unknown 
signal structures, as follows: 

Vq{t) = [O 4 cos(f) 2 sawtooth(f) 3square(f) 4sin(f) 040 ]^ , 

where the cosine, sawtooth, square, and sine signals are 
the actual attacks against the four PMU measurements with 
different magnitudes and variations. 

Attack Identification & Residual Computation Under the 
same UIs from Scenario I, a CA is artificially added after 
t = 20s. Fig. 1^ shows the generation of residual vector, r(t), 
from ini- It is seen that the residuals of measurements 5-8 
with artificially added CAs are significantly higher than the 
other measurements without CAs. 

Dynamic Risk Mitigation Algorithm After designing the 
SMO for the power system, achieving desirable state and 
UI estimates (Scenario I), and generating residuals that are 
estimates of CAs, we simulate the DRMOP. We assume 
that all PMU measurements have the same weight in the 
objective function, i.e., = 1, Vi = 1,... ,48. The WDTL 

vector z is computed for the 1 -second time horizon (for 
t = [ 20 , 21 ]), and generic threshold is chosen as 7 = 10 . 
Given z{t) and the parameters of the DRMOP, the ILP is 
solved via YALMIP p^ . The optimal solution for the ILP 
yields tt = [I 4 O 4 I 44 ] , hence the PMU measurements 5-8 
are the most infected among the available 48 ones. This result 



Fig. 4. Residuals of the 48 measurements generated by the attack detection 
filter jl7) . The residuals are notably similar to the actual attacks. For example, 
for t = 20.05s, rf(t) = 2.986, while VY{t) = 3square(t) = 3. 

confirms the findings of the attack detection filter in Fig. [^ 

Following Algorithm 1, we check whether the solution gen¬ 
erated by YALMIP violates the rank condition (Assumption 2). 
As measurements 5-8 are removed from the estimation process 
for diagnosis, the updated Cg matrix, now a function of tt, 
is obtained —Cg now has 44 rows instead of 48. The system 
is detectable and the rank-matching condition is still satisfied. 
Hence, no extra constraints should be reimposed on the ILP, 
as illustrated in Algorithm 1. After guaranteeing the necessary 
conditions on the existence of the dynamic state estimator, and 
updating Cg, simulations are performed again to regenerate 
the state estimates and weighted residual threat levels. 

Post-Risk Mitigation Fig. [^ illustrates the impact of CAs 
on the state estimation process before, during, and after the 
attack is detected and isolated. Following the removal of the 
attacked measurements (and not the attack, as the attack cannot 
be physically controlled) at f = 21 s due to the risk mitigation 
strategy, the estimation error norm converges again to small 
values. Fig. [^ shows the impact of this strategy on DSE 
for Generator 1. During the short-lived CA, state estimates 
diverge. However, the risk mitigation strategy restores the 
estimates to their nominal status under UIs and CA^ 

Remark 8. The DRMA requires the redesign of the SMO 
immediately after the detection of the compromised PMU 
measurements. Since Cg has less rows as the number of 
measurements are supposedly reduced after some of them are 
isolated, the SMO is designed again for an updated observer 
gain matrices Lg and Fg. For a large scale system, the solution 
of the LMI in ( fTO) ! can take a significant amount of time. 
Hence, a database of the most possible PMU measurement 
configurations (different C^’s) with corresponding SMO LMI 
solutions (different Lg’s and Fg’s) can be obtained offline, 
and stored when needed to guarantee a minimal off-time. 

Note that for a different time period, the power system 

®While the CAs are still targeting the four PMU measurements after t = 
21s, the attacks become futile. Consequently, their impact on state estimation 
becomes nonexistent, as the four attacked measurements are isolated from the 
estimation process. 





































12 



Fig. 5. Norm of estimation eiTor before, during, and after the CA is detected 
and isolated. For 20 s < f < 21s, the norm increases exponentially, signifying 
the occurrence of an attack or a significant disturbance. After the removal of 
the artificial attack due to the outcome of the DRMOP, the estimation error 
norm converges again to small values. 
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Fig. 6. Estimation of the states of Generator 1 before, during, and after the 
detection and isolation of the CA. After the DRMA succeeds in detecting the 
compromised measurements and isolating them from the estimation process 
after t = 21s, the state estimates converge again to the actual ones. 


feedback control. In many cases, the estimates are used for 
control; in other cases, they are used for real-time depictions 
only. Here we discuss how erroneous, attacked state-estimation 
can influence power system stability if these estimates are used 
for control or re-dispatch purposes, such as the example given 
in Section IV from the DOE report pO] . 

Since significant frequency deviations are remediated by 
corrective actions through feedback, e.g., re-dispatch or AGC- 
like control strategies, misleading values for a generator’s fre¬ 
quency deviations can lead to erroneous control actions. Fig.|^ 
shows the frequencies of Generators 12-16, before, during, 
and after a CA, depicting the impact that the DRMOP has on 
the estimation of frequency deviations given UIs. As illustrated 
in Fig. 1^ without near-immediate identification and detection 
of attacked measurements, wrong corrective actions might be 
taken. This can steer the system to instability, while the system 
is in reality not experiencing high frequency deviations; rather, 
it is experiencing a CA against measurements. 

From Fig. and prior to a CA, the frequencies are 60 
Hz (377 rad/sec). During a CA, the estimated frequencies of 
the five generators indicate serious system instability, which 
could be wrongly mitigated by feedback control actions. As 
discussed in the previous section, the DRMOP succeeds in 
identifying the wrong measurements, and the frequencies are 
stable again—indicating a normal grid-condition. Note that the 
fluctuations are due to the unknown input vector w{t). 



and the PMUs might encounter a different set of UIs or 
attack-vectors. Furthermore, the optimization problem can be 
redesigned to allow for the inclusion of the possibly, now-safe 
measurements. The optimal solution to the DRMOP is a trade¬ 
off between keeping the power system observable through the 
possible measurements—enabling state estimation and real¬ 
time monitoring—and guaranteeing that the system and the 
observer are robust to UIs and CAs. 

C. Impact on Post-Estimation Process 

In power networks, many substations are not equipped with 
PMU devices. Hence, a robust DSE routine—that leverages 
measurements from neighboring nodes in a network—is neces¬ 
sary in generating state-estimates for the nodes without PMUs. 
As discussed earlier, a major purpose behind DSE is to use 
estimation of unknown, unmeasurable quantities for improved 


Fig. 7. Estimated frequencies of the Generators 12-16 before, during, and 
after a CA. The figure illustrates the impact that the DRMOP has on the 
estimation of frequencies of generators in a power network. 

X. Closing Remarks & Future Work 

PMUs can be utilized for ameliorated monitoring and 
control of the smart grid. The humongous size of data gen¬ 
erated by PMUs—communicated to the operators in control 
centers—can be used for a more accurate depiction of how 
power system is behaving, and occasionally misbehaving. 

A. Paper Contributions & Future Work 

For ameliorated risk mitigation due to CAs in power net¬ 
works, the focus of the research in this paper is on the unique, 
seamless integration of three intertwined components: 

• First, we utilize a robust dynamic state estimator for 
perturbed grid dynamics. Then, estimates of the system’s 
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UIs and possible CAs are obtained. These estimates are 
then utilized for attack detection and isolation. 

• Second, the state- and UI estimation components are 
utilized in an optimization scheme to determine the most 
faulty measurements with an attack detection filter. 

• Finally, a risk mitigation strategy is employed to guaran¬ 
tee a minimal threat-level, ensuring the observability of 
the power system through available safe measurements. 

Our future work in this area will focus on three main tasks: 

• Deriving closed-form solutions for simultaneous UIs and 
CAs estimates for a nonlinear power system model; 

• Extending the dynamic risk mitigation problem by in¬ 
corporating conventional devices and accounting for the 
probabilistic threat-levels in PMU networks as in | |28) . 

• Developing a computationally superior method for faster 
dynamic state estimation for a power system, leveraging 
the inherent sparsity of the power network. 

B. What this Paper does not Address; Potential Solutions 

While the methods investigated in this paper address the 
interplay between DSE, unknown inputs reconstruction, and 
cyber-attacks detection and mitigation, there are two main 
challenges that are not addressed. 

The first challenge is the DSE for a nonlinear representation 
of the power system. In this paper, we use a linearized 
representation for the power system as: 

(a) Real-time state and UI estimates can be obtained in 
real-time, whereas for a highly nonlinear power system, 
these estimates require stricter assumptions and a stronger 
computational capabilities that guarantee the convergence 
of these estimates to their corresponding actual values; 

(b) Under dynamic UIs and CAs, the problem of estimating 
states for higher-order nonlinear power systems has never 
been addressed before in the literature. The majority of 
routines are based on Kalman filter derivatives, having 
major difficulties under unknown inputs given nonlinear 
systems. Eor the risk mitigation for nonlinear systems, 
efficient computational solutions will have to be devel¬ 
oped to ensure near real-time guarantees of the system’s 
observability—this is a research question related to our 
work in this paper, but is beyond this paper’s objectives. 

The second challenge is the incorporation of dynamic loads. 
We have assumed that the unknown inputs incorporate un¬ 
known quantities such as model uncertainties, linearization 
errors, and disturbances. We also illustrated that the derived es¬ 
timator successfully estimates these unknown quantities with¬ 
out prior knowledge on their distribution. However, variable 
loads may not be immediately incorporated in the linearized 
dynamic model, and if heavy loads are experienced during a 
cyber-attack, the linear system model might become invalid. 

To address these challenges, polytopic representations of 
power systems can be derived that capture various linearized 
representations corresponding to various loading conditions 
(for different time-periods), whereby the SMO can be designed 
given these conditions. Consequently, a unique observer gain 
can be computed that stabilizes the estimation error norm 
for all time-periods, considering variable loads and dynamic 


unknown inputs. In particular, a common Lq can be solved for 

different pairs of (A, Cp) matrices for different time-periods. 

This idea is analogous to designing a common controller gain 

for switched dynamical systems. 
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